Specifically, Charles Schwab was found to have partially unencrypted communications, trading-related data stored unencrypted and sessions that are left valid server-side after logout. Fidelity, meanwhile, had sessions valid server-side after logout, session cookies without proper attributes and a lack of some HTTP security headers.
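The three web-side weaknesses listed above (sessions still valid server-side after logout, session cookies without proper attributes, missing HTTP security headers) are easy to model. The following is an added example, not code from IOActive or from any of the vendors named; the in-memory `SessionStore`, the `logout_weak`/`logout_fixed` pair, the audit functions and the sample cookie and header values are all constructed here for illustration. It shows the defect beside its fix and a check a reviewer can run against a response.

```python
"""Added example (not from the article or the vendors): the defect and the fix for
each of the three web weaknesses the article names, plus a check for each."""
import secrets
import time

# --- 1. Server-side session lifetime -----------------------------------------
class SessionStore:
    """Hypothetical minimal server-side session table (a real app would use a DB/cache)."""

    def __init__(self, ttl_seconds=900):
        self._sessions = {}  # token -> (username, expiry timestamp)
        self.ttl = ttl_seconds

    def create(self, username):
        token = secrets.token_urlsafe(32)  # 256-bit random session identifier
        self._sessions[token] = (username, time.time() + self.ttl)
        return token

    def is_valid(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return False
        if entry[1] < time.time():  # lazily expire stale sessions
            del self._sessions[token]
            return False
        return True

    def logout_weak(self, token):
        """The defect: only the client is told to drop the cookie; the token stays
        valid server-side until its TTL expires, so a copy of it can still be used."""
        return "session=; Max-Age=0; Path=/"

    def logout_fixed(self, token):
        """The fix: destroy the server-side record first, then clear the cookie."""
        self._sessions.pop(token, None)
        return "session=; Max-Age=0; Path=/"

# --- 2. Session cookie attributes --------------------------------------------
REQUIRED_COOKIE_ATTRS = ("secure", "httponly", "samesite")

def audit_set_cookie(set_cookie_value):
    """Return the required attributes missing from a Set-Cookie header value."""
    parts = set_cookie_value.split(";")[1:]  # skip the name=value pair itself
    attrs = {p.strip().split("=")[0].lower() for p in parts if p.strip()}
    return [a for a in REQUIRED_COOKIE_ATTRS if a not in attrs]

def build_session_cookie(token):
    """Cookie as it should be issued: HTTPS-only, hidden from scripts, CSRF-resistant."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

# --- 3. HTTP security headers --------------------------------------------------
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
)

def audit_security_headers(headers):
    """Return the required security headers absent from a response header dict."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]

def hardened_headers():
    """A constructed baseline header set for a trading web front end."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    }

def demo():
    """Show that a token survives the weak logout but not the fixed one."""
    store = SessionStore()
    token = store.create("trader")
    store.logout_weak(token)
    weak_still_valid = store.is_valid(token)    # True: session replayable after logout
    store.logout_fixed(token)
    fixed_still_valid = store.is_valid(token)   # False: server-side record gone
    return weak_still_valid, fixed_still_valid

if __name__ == "__main__":
    print("after weak logout valid, after fixed logout valid:", demo())
    print("missing cookie attrs:", audit_set_cookie("session=abc; Path=/"))
    print("missing headers:", audit_security_headers({"Content-Type": "text/html"}))
```

The check functions are the part worth keeping: run `audit_set_cookie` and `audit_security_headers` over a captured login response and any non-empty result is a finding of the kind the article describes.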

Following up on similar research in 2017, Hernandez commented “it’s deeply concerning that some of the same vulnerabilities have still not been fixed”.

He found that usernames and passwords could easily be stolen from stock trading networks, with vulnerabilities including unencrypted authentication and communications, and remote Denial of Service (DoS) flaws able to render applications unusable.

“Imagine a stock trader in a coffee shop, using public Wi-Fi – an attacker would be able to easily perform a man-in-the-middle attack and identify or modify the network traffic that is unencrypted,” explained Hernandez. “For example, the attacker could see the username and password of the trader’s account and later log in through a web browser, link his or her bank account, sell the stocks at market price to liquidate the investments, transfer the money, remove the added bank account and log out.”

Jennifer Steffens, chief executive of IOActive, said the discovery of major flaws in stock trading technologies will hopefully be a wake-up call to the financial industry. “They need to implement the strong security controls they already have in place for banking applications and follow industry best practices to properly develop mobile, desktop and web applications, and continuously scan them for vulnerabilities.”

All of the vendors impacted by these stock trading vulnerabilities have been notified, although IOActive cannot confirm whether or not they are fixed yet.

This website is a part of Perspective Publishing Limited, registered in England no 2876166. By using this website you agree to our COOKIE POLICY and PRIVACY POLICY.